We just set up a DMZ at a new client to host a RODC and SCCM server for internet client connectivity. We created a GPO with the needed WFAS connection rules to secure communication from the internal DCs <-> DMZ DC; this works great and all communication is over IPSec. We now have a SCCM server in the DMZ that needs to talk to the SQL server internally, and our connection rules include this. But it just won't connect. I can see the connection under main mode & quick mode on both servers, but no traffic flows either way. The Checkpoint firewall in the middle doesn't show anything being blocked, and we can see the initial connection communicate through. For the life of me I cannot figure out how to enable logging on the server or view the logs to diagnose why the IPSec traffic is not flowing.

Both servers are Windows 2016 and have the same patches applied. The SQL server is a Server Core setup, so command line only.

Does anyone have any ideas on how to enable logging for WFAS w/ IPSec connection rules, and where/how to view the logs? I'm pretty optimistic that if I could view the logs and see any errors, I would be able to figure out what needs to be fixed.
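As an added example (not from the original post, and not a vendor-provided script), the following PowerShell turns on the auditing that makes WFAS/IPsec failures visible in the Security log, pulls the relevant events, and takes a WFP trace while the failing connection is reproduced. It runs from an elevated prompt on Server Core as well as Desktop Experience. The peer address and the SQL port are placeholders (assumptions); run it on both endpoints, since each side only logs what it saw.

```powershell
# Added example: enable and read WFAS/IPsec diagnostics on Windows Server 2016.
# Run elevated on BOTH peers (the DMZ SCCM server and the internal SQL server).
$Peer    = '10.0.0.10'   # placeholder: IP of the other endpoint
$SqlPort = 1433          # placeholder: the port the SCCM server needs

# 1. Enable the IPsec and Filtering Platform audit subcategories. Until these
#    are on, the Security log says nothing about negotiation or dropped packets.
#    (A domain audit policy GPO can override local auditpol settings.)
$subcats = @(
    'IPsec Main Mode', 'IPsec Quick Mode', 'IPsec Extended Mode',
    'IPsec Driver', 'Filtering Platform Connection',
    'Filtering Platform Packet Drop'
)
foreach ($s in $subcats) {
    auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}

# 2. Log dropped connections to the WFAS text log as well.
netsh advfirewall set allprofiles logging droppedconnections enable | Out-Null
netsh advfirewall set allprofiles logging filename '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' | Out-Null

# 3. Reproduce the failing connection so there is something to log.
Test-NetConnection -ComputerName $Peer -Port $SqlPort | Out-Null

# 4. Show the negotiated SAs. A main mode plus quick mode SA for the peer
#    proves IKE (UDP 500/4500) got through; it says nothing about whether the
#    protected payload (ESP, IP protocol 50, or UDP 4500 with NAT-T) does.
Get-NetIPsecMainModeSA  | Format-List
Get-NetIPsecQuickModeSA | Format-List

# 5. Pull the relevant Security events from the last 30 minutes.
#    4650/4651 main mode SA established, 4652/4653 main mode failed,
#    4654 quick mode failed, 4655 main mode SA ended, 5451/5452 quick mode
#    SA established/ended. 4960-4965 come from the IPsec driver (integrity
#    failure, replay, cleartext received, bad SPI, ...). 5152/5157 are WFP
#    packet/connection drops and name the filter that blocked the traffic.
$ids = 4650,4651,4652,4653,4654,4655,5451,5452,
       4960,4961,4962,4963,4964,4965,5152,5157
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = (Get-Date).AddMinutes(-30)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 6. The dedicated WFAS operational logs (present on Server Core too).
Get-WinEvent -LogName 'Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity' `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, LevelDisplayName -AutoSize
Get-WinEvent -LogName 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, LevelDisplayName -AutoSize

# 7. If the SAs look right and nothing is logged as dropped, capture WFP state
#    and net events while reproducing; the .cab can be inspected offline.
netsh wfp capture start file=C:\wfp-trace.cab
Test-NetConnection -ComputerName $Peer -Port $SqlPort | Out-Null
netsh wfp capture stop
```

Reading the output: established main and quick mode SAs on both sides with no traffic usually means IKE is passing the intermediate firewall but the ESP packets themselves are not, so check on the receiving host whether any IPsec driver events (4960-4965) or WFP drops (5152) appear at all during the test. None on either side points at the path between them rather than at the Windows policy; drops naming a specific filter ID point at the local rule set, and `netsh wfp show filters` maps that ID back to the rule.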